Archive for the ‘Exchange’ Category

Microsoft 365, Outlook, & MFA

When you enable multifactor authentication in Microsoft 365 (formerly Office 365) on an existing tenant, Outlook starts asking for a password and will not accept your current Microsoft 365 password. You then need to use app passwords for Outlook, rather than standard MFA with your password and a second option such as the Microsoft Authentication app, text message, e-mail, or call. Those options work fine for web access and other Office apps, but not for Outlook. See the following link to manage app passwords: https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords#:~:text=To%20create%20app%20passwords%20using%20the%20Office%20365,password%2C%20and%20then%20select%20Next.%20More%20items…%20

You can, however, enable standard MFA methods for Outlook using PowerShell. The credit for most of the instructions below goes to: https://www.petri.com/enable-modern-authentication-exchange-online

Instructions to enable MFA with Exchange Online (paraphrased)

When asked for credentials, you need to use an O365 admin account that does not have MFA enabled.  I create one without an Office license just for this.

I use the PowerShell ISE, but I suspect standard PowerShell run as admin will work as well.

Connect to an Exchange PowerShell session by running the following 2 lines:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

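This is not in the Petri link above, but you need to run the following line to allow running scripts, which importing the session requires:

Set-ExecutionPolicy RemoteSigned

Then import the session so that the Exchange cmdlets used below are available in your local session:

Import-PSSession $Session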

Test whether MFA is already enabled. The command will return “False” if it is not enabled:

Get-OrganizationConfig | ft name, *OAuth*

Assuming it is not enabled, run:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

Then run the following again to confirm it is now enabled, i.e. “True”:

Get-OrganizationConfig | ft name, *OAuth*

Close the session:

Remove-PSSession $Session

I find it takes 30-60 minutes before the policy is applied and the changes are in use.
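
The same check-and-enable steps as one script, as an added example that is not from the original post or the Petri article. It assumes the ExchangeOnlineManagement module is installed and connects with Connect-ExchangeOnline instead of the Basic-authentication session above, so the admin account used can keep MFA enabled; admin@contoso.example is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed (Install-Module ExchangeOnlineManagement).
#Requires -Modules ExchangeOnlineManagement

param(
    # Placeholder sign-in name; replace with a real Exchange Online admin account.
    [string]$AdminUpn = 'admin@contoso.example'
)

$ErrorActionPreference = 'Stop'

# Interactive modern-authentication sign-in, so the admin account can have MFA enabled.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Read the current value before changing anything.
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "OAuth2ClientProfileEnabled before: $before"

    if (-not $before) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        # Re-read the value to confirm the change was accepted.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Host "OAuth2ClientProfileEnabled after:  $after"
        if (-not $after) {
            throw 'OAuth2ClientProfileEnabled is still False; check the permissions of the admin account.'
        }
    }
    else {
        Write-Host 'Already enabled; no change made.'
    }
}
finally {
    # Always close the remote session, even if a step above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```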

The Mailbox has been Quarantined

I recently came across an issue with an Exchange server running out of room, and after the cleanup, one user only would receive the message: “Cannot open your default e-mail folders. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance.”

The same user could also not log into Outlook Web Access. After verifying DNS was working correctly, and then reviewing the server’s Event Viewer Application logs at the time of the failure, an MSExchangeIS error with Event ID 10018 was noted: “The mailbox for user 10c98e9d-1bcb-441c-a5bc-1a3fa19336f8: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=John Doe has been quarantined. Access to this mailbox will be restricted to administrative logons for the next 6 hours.”

The Microsoft articles listed below reference this issue and how to resolve it. Assuming there is no corruption with the mailbox, you can verify there is a quarantined mailbox by viewing, and then simply deleting, the registry key under: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server Name>\Private-{db guid}\QuarantinedMailboxes

I recommend, as always, backing up the registry before doing so.  Then to apply the change restart the Microsoft Exchange Information Store service.

https://support.microsoft.com/en-us/kb/2603736

https://technet.microsoft.com/library/bb331958.aspx#SH
